It is known in the art to elicit replicative behavior of undesirable software entities, such as computer viruses, to facilitate the detection and removal of these software entities from infected programs. Note that an undesirable software entity may not necessarily be a malicious program, as its execution may not result directly in the intentional destruction of files, boot records and the like.
For the purposes of this patent application, a Computer Virus is defined as follows: a virus is a self-replicating program or routine that spreads in a possibly modified manner without direct human interaction. Reference in this regard maybe had to commonly assigned U.S. Pat. No. 5,613,002, incorporated by reference herein in its entirety.
As employed herein, a Worm program is one that can clandestinely send a copy of itself between computers on a computer network, and that uses a network service or services to replicate. Examples of such network services include, but are not limited to, routing, name resolution and mail storage.
Also for purposes of this patent application, a Trojan Horse program is defined as a program that need not replicate or copy itself, but that damages or compromises the security of the computer. An example of a Trojan Horse program includes a script hidden in a joke email, which is manually distributed. Another example of a Trojan Horse Program includes an entire program, such as a screen saver that is freely distributed.
Replicative behavior is not the only behavior exhibited by undesirable software entities, at least in the sense that replicative behavior is exhibited by computer viruses. This creates a different type of problem in computer systems, as some undesirable software entities make changes to the system state in addition to replicating. These changes to the system state can include modifications made to, for example, files, records, registries, logs and so forth. These changes to the system state may be referred to as “side effects”, i.e., the tangible result or results of the execution of the undesirable software entity in an infected computer system (and/or computer network). Prior to this invention, the automated detection of side effects was not adequately provided for, and thus the automated removal of the changes made to the system by the responsible undesirable software entity could be incomplete. This is true at least for the reason that conventional disinfection methods and systems will successfully remove the undesirable software entity itself, but they will fail to remove the side effects caused by the undesirable software entity. The (previously unmet) goal of such detection and removal would be the automatic restoration of the system to the state that existed prior to the infection.
In the current state of the art the detection of side effects was a manually intensive process that produced inconsistent, inefficient and unreliable results. Even in the framework of the automated analysis of malicious software, the samples containing side effects were typically deferred for human examination. This resulted in a slowing of response time which, as can be appreciated, may be very undesirable when faced with a new instance of a malicious and fast spreading virus, worm or widespread Trojan horse. In many commercial anti-virus products the side effects, such as created files, are only noticed if they contain the signature of a known virus, worm or Trojan horse, thereby limiting their ability to detect side effects associated with malicious software.
The dynamic analysis of suspected computer viruses is described in commonly assigned U.S. Pat. No. 5,440,723, “Automatic immune system for computers and computer networks” by William C. Arnold et al. A method for the automated replication and analysis of worms is described in the commonly assigned U.S. patent application Ser. No. 09/640,453, filed Aug. 17, 2000, “Method and apparatus for replicating and analyzing worm programs” by William C. Arnold et al. A method for the automatic analysis of computer viruses and the generic repair is described in commonly assigned U.S. Pat. No. 5,485,575, “Automatic analysis of a computer virus structure and means of attachment to the host” by David M. Chess et al. A generic repair technique is described in U.S. Pat. No. 6,067,410, “Emulation repair systems” by Carey Nachenberg.
All of these patents concentrate on the replicative behavior of malicious software. Currently, the inventors are not aware of automated procedures and systems for the detection of non-replicative changes made to an infected computer system.